Publications

Abstract:
We put forward a new notion, function privacy in identity-based
encryption and, more generally, in functional encryption. Intuitively, our
notion asks that decryption keys reveal essentially no information on their
corresponding identities, beyond the absolute minimum necessary. This is
motivated by the need for providing predicate privacy in public-key
searchable encryption. Formalizing such a notion, however, is not
straightforward as given a decryption key it is always possible to learn
some information on its corresponding identity by testing whether it
correctly decrypts ciphertexts that are encrypted for specific identities.

In light of such an inherent difficulty, any meaningful notion of function
privacy must be based on the minimal assumption that, from the
adversary's point of view, identities that correspond to its given
decryption keys are sampled from somewhat unpredictable distributions. We
show that this assumption is in fact sufficient for obtaining a
strong and realistic notion of function privacy. Loosely speaking, our
framework requires that a decryption key corresponding to an identity
sampled from any sufficiently unpredictable distribution is
indistinguishable from a decryption key corresponding to an independently
and uniformly sampled identity.

Within our framework we develop an approach for designing function-private
identity-based encryption schemes, leading to constructions that are based
on standard assumptions in bilinear groups (DBDH, DLIN) and lattices (LWE).
In addition to function privacy, our schemes are also anonymous, and thus
yield the first public-key searchable encryption schemes that are provably
keyword private: A search key Tw enables to identify
encryptions of an underlying keyword w, while not revealing any
additional information about w beyond the minimum necessary, as long as
the keyword w is sufficiently unpredictable.